Attack built on previous Tinder exploit earned researcher – and ultimately, a charity – $2k
A security vulnerability in popular dating app Bumble enabled attackers to pinpoint other users’ precise location.
Bumble, which has more than 100 million users worldwide, emulates Tinder’s ‘swipe right’ functionality for declaring interest in potential dates and in showing users’ approximate geographic distance from potential ‘matches’.
Using fake Bumble profiles, a security researcher fashioned and executed a ‘trilateration’ attack that determined an imagined victim’s precise location.
As a result, Bumble fixed a vulnerability that posed a stalking risk had it been left unresolved.
Robert Heaton, software engineer at payments processor Stripe, said his find could have empowered attackers to discover victims’ home addresses or, to some degree, track their movements.
However, “it wouldn't give an attacker a literal live feed of a victim’s location, since Bumble doesn't update location all that often, and rate limits might mean that you can only check [say] once an hour (I don't know, I didn't check),” he told The Daily Swig.
The researcher claimed a $2,000 bug bounty for the find, which he donated to the Against Malaria Foundation.
Flipping the script
As part of his research, Heaton developed an automated script that sent a sequence of requests to Bumble servers that repeatedly relocated the ‘attacker’ before requesting the distance to the victim.
“If an attacker (i.e. us) can find the point at which the reported distance to a user flips from, say, 3 miles to 4 miles, the attacker can infer that this is the point at which their victim is exactly 3.5 miles away from them,” he explains in a blog post that conjured a fictional scenario to demonstrate how an attack might unfold in the real world.
For example, “3.49999 miles rounds down to 3 miles, 3.50000 rounds up to 4,” he added.
Once the attacker finds three “flipping points” they would have the three exact distances to their victim required to execute precise trilateration.
However, rather than rounding up or down, it transpired that Bumble always rounds down – or ‘floors’ – distances.
“This discovery doesn’t break the attack,” said Heaton. “It just means you have to edit your script to note that the point at which the distance flips from 3 miles to 4 miles is the point at which the victim is exactly 4.0 miles away, not 3.5 miles.”
Heaton was also able to spoof ‘swipe yes’ requests on anyone who also declared an interest to a profile without paying a $1.99 fee. The hack relied on circumventing signature checks for API requests.
Trilateration and Tinder
Heaton’s research drew on a similar trilateration vulnerability unearthed in Tinder in 2013 by Max Veytsman, which Heaton examined among other location-leaking vulnerabilities in Tinder in a previous blog post.
Tinder, which hitherto sent user-to-user distances to the app with 15 decimal places of precision, fixed this vulnerability by calculating and rounding distances on their servers before relaying fully-rounded values to the app.
Bumble appears to have emulated this approach, said Heaton, which nevertheless failed to thwart his precise trilateration attack.
Similar vulnerabilities in dating apps were also disclosed by researchers from Synack in 2015, with the subtle difference being that their ‘triangulation’ attacks involved using trigonometry to ascertain distances.
Heaton reported the vulnerability on June 15 and the bug was apparently fixed within 72 hours.
In particular, he praised Bumble for adding extra controls “that prevent you from matching with or viewing users who aren’t in your match queue” as “a shrewd way to reduce the impact of future vulnerabilities”.
In his vulnerability report, Heaton also recommended that Bumble round users’ locations to the nearest 0.1 degree of longitude and latitude before calculating distances between these two rounded locations and rounding the result to the nearest mile.
“There would be no way that a future vulnerability could expose a user’s exact location via trilateration, since the distance calculations won’t even have access to any exact locations,” he explained.
He told The Daily Swig he is not yet sure if this recommendation was acted upon.